How safe is syncing passwords?
I am setting up syncing between a few computers and I am wondering if syncing passwords is safe.
It is my understanding that when syncing passwords, they are first decrypted using the master password, then encrypted using the Sync key and sent to the server. After retrieving them on another device they are decrypted using the Sync key and then encrypted using the master password of that device. So they are not saved in clear text anywhere and it would appear that they are safe against someone getting access to any of my devices or to the sync server.
However, I see one possible way of getting the passwords. Let's suppose someone gets access to one of my devices. Then, they can go to the Sync tab in the Options and click on Pair a device. Using a device of their own, without a master password (or with their own), they get a device syncing code and enter it on my device. Then, on their device, they have access to my passwords.
Am I right? Is such a thing possible? Wouldn't it be better to use the same master password on all devices to make such an attack impossible?
Thank you for your help!
All Replies (7)
Thank you for the prompt answer.
The link does not provide any information about my concern. I understand that the data is encrypted during transmission and on the sync server using a key only known by me.
But consider what would happen if someone compromised one of my devices (stole my laptop for example)? Since my passwords are encrypted using my master password on that device, that person could not retrieve them directly from my device. However, according to some tests I have done on dummy accounts, it seems that with access to my device, that person would simply need to enter the 12-character pairing code from another device of their own on my compromised device to sync their device with my data.
You don't have to worry about that. If your device is synced with a computer then you can manage your account. See here: I've lost my Firefox Sync account information - What to do
Actually, I do have to worry about that if I use Firefox on Android. Someone who gains access to your Android device can get access to your passwords even if you use a master password.
Here is what I did to demonstrate the problem.
1 - I have a Firefox profile on Windows (let's call it device 1) with a master password.
2 - I set up Sync on the Windows device 1.
3 - I paired an Android tablet, let's call it device 2, where I also use a master password. When pairing the Android device, Firefox on Windows device 1 asked me for my master password, which probably indicates that the sync encryption key is encrypted with the master password. This seems safe. However, Android device 2 never asked for my master password, which seems to indicate that it is not encrypting the sync encryption key.
4 - Using the sync settings on Android device 2, I paired another Windows profile, let's call it device 3, where I am not using a master password (this could be any device owned by an attacker). The Android device never asked me for any password. After syncing, on device 3, my passwords are saved in clear. If I go to the Saved Passwords dialog, I can see them without entering any password. I even see the sync password and key (they are called Mozilla Services Passwords and Mozilla Services Encryption Passphrase).
So, in summary, if someone gains access to an Android device that you are syncing, they can obtain all your passwords, even if that device is protected with a master password.
Please excuse my bluntness, but did you even read my comment?
I do use a master password on my Android device. However, I am not asked for that password when syncing, which seems to indicate that the sync key is not encrypted with the master password (contrary to Firefox on Windows). Furthermore, I have tested that I can pair another device from Android without ever being asked for my master password.
So, even if an attacker cannot directly see my passwords on the Android device (the master password is required for that), they can use the Android device to pair another device of their own and obtain my passwords that way. This is a major security bug.
For the time being, I will simply sync my bookmarks, but that significantly reduces the benefits of using Firefox Sync.
I believe your initial post is basically correct. Sync encrypts passwords over the network but not when stored locally; using a master password encrypts passwords when stored locally, but master passwords are not synced across devices. As a result, new devices need to be manually configured with a master password if you want to have security all the way through the system.
Note that if you do manually configure master passwords on all systems, then you will be required to enter that password before you add any new devices to sync. So an attacker can't just grab your Android phone and use it to sync a new device, because your Android already has a master password (which you set manually).
See this bug for more technical background on what is going on. Comment 17 is especially informative.
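The difference discussed in this thread, as an added example that is not part of any post and is not Firefox's code: a toy model of one device that stores the sync key wrapped under its master password and one that has a master password but stores the sync key unwrapped, as the Android test above suggests. The `Device` class, `pair` function and the PBKDF2-plus-XOR wrapping (a stand-in for a real key-wrap cipher) are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _wrap_key(master_password: str, salt: bytes) -> bytes:
    # 64 bytes: the first 32 mask the sync key, the last 32 authenticate it.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               50_000, dklen=64)

class Device:
    """Hypothetical model of a synced device, not Firefox's storage format."""

    def __init__(self, name, sync_key, master_password=None, wrap_sync_key=True):
        self.name = name
        self.wrapped = master_password is not None and wrap_sync_key
        if self.wrapped:
            self.salt = os.urandom(16)
            k = _wrap_key(master_password, self.salt)
            self.blob = bytes(a ^ b for a, b in zip(sync_key, k[:32]))
            self.tag = hmac.new(k[32:], self.blob, hashlib.sha256).digest()
        else:
            # Sync key sits on disk in usable form, master password or not.
            self.blob = sync_key

    def release_sync_key(self, master_password=None):
        """What a pairing flow needs: the sync key in usable form."""
        if not self.wrapped:
            return self.blob
        if master_password is None:
            raise PermissionError("master password required")
        k = _wrap_key(master_password, self.salt)
        expected = hmac.new(k[32:], self.blob, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.tag):
            raise PermissionError("wrong master password")
        return bytes(a ^ b for a, b in zip(self.blob, k[:32]))

def pair(source, master_password=None):
    """Return the sync key a newly paired device would receive, or None."""
    try:
        return source.release_sync_key(master_password)
    except PermissionError:
        return None
```

In this model, pairing from the wrapped device fails without the master password, while the unwrapped device hands the sync key to any newly paired device.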